HiddenWasp Malware Stings Targeted Linux Systems
by Ignacio Sanmillan
May 29, 2019
Intezer
https://intezer.com/blog/research/hiddenwasp-malware-targeting-linux-systems/
| Notes |
|---|
| Linux Malware |
| HiddenWasp |
| HiddenWasp isn’t meant for cryptocurrency mining or DDoS; it is for persistent, targeted remote control |
| Mirai |
| Azazel rootkit |
| low-confidence attribution to China |
| Linux malware tends to be less sophisticated than Windows malware |
| Linux antivirus tends not to be as good as Windows antivirus |
| Linux malware is sometimes very sophisticated and evasive |
| open-source malware is often used or modified by attackers |
| VirusTotal |
| undetected on VirusTotal |
| Winnti Linux variants https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a |
| bash script |
| Shen Zhou Wang Yun Information Technology Co., Ltd. |
| sample uploaded to VirusTotal by Shen Zhou Wang Yun Information Technology |
| implant |
| ThinkDream hosting company |
| Hong Kong |
| HISTFILE |
| export HISTFILE=/dev/null |
| export HISTSIZE=0 |
| export HISTFILESIZE=0 |
| hard-coded credentials |
| /lib/se1inux* (digit 1 substituted for lowercase l, to look like selinux) |
| persistence |
| persistence via user account |
| malware has update capabilities |
| tarball |
| rootkit |
| LD_PRELOAD |
| I_AM_HIDDEN, HIDE_THIS_SHELL environment variables |
| persistence via /etc/rc.local |
| ELF |
| ET_DYN |
| shared object |
| hook |
| string obfuscation |
| xor string obfuscation |
| 0xdeadbeef xor key |
| command and control |
| hiding network connections |
| /proc/net/tcp |
| port 61061 – default port for Azazel rootkit |
| static-linked |
| libstdc++ |
| ChinaZ |
| Elknot implant https://intezer.com/blog/research/chinaz-updates-toolkit-by-introducing-new-undetected-malware/ |
| MD5 implementation shared with Elknot and HiddenWasp |
| code reuse |
| multiplatform malware |
| l11l1[.]com |
| HttpFileServer |
| tool use as attribution |
| passive DNS |
| attribution by domain reuse |
| Gh0st |
| ServStart |
| RAT |
| DDoS |
| PE file |
| file infector |
| Sality |
| Parite |
| Virut |
| malware analysis |
| C++ |
| XorDDoS |
| AmpManager - resembles NewManager, but more commands and DDoS capabilities |
| file upload capability |
| NewManager - minimalist backdoor with RCE and file upload capabilities |
| root user |
| staged malware |
| daemonize |
| symbolic links |
| /proc/net/dev |
| /proc/stat |
| malware sends host information to command and control server |
| beaconing |
| packet |
| handshake |
| malware sends kernel version to command and control server |
| DDoS amplification methodologies: SSDP, DNS, NTP |
| DDoSManager - similar to AmpManager, uses different DDoS attack methodologies |
| BillGates malware https://www.novetta.com/wp-content/uploads/2015/06/NTRG_ElasticBotnetReport_06102015.pdf |
| SingTool – DDoSManager |
| packets encoded with simple sub/xor algorithm |
| DDoSManager writes configuration to /tmp/Cfg.9 |
| attribution by similar build toolchains |
| YARA |

| IoCs |
|---|
| syn.l11l1[.]com |
| ccyk.l11l1[.]com |
| yk.l11l1[.]com |
| fd.l11l1[.]com |
| 1bfa8af4b51d9fc54d4baa49df27116f44ce269da9123625c1f2ba17289ea2cd |